May 19, 2016

German journalists about working with the Snowden documents

Last Monday, the website The Intercept started publishing larger batches of documents from the Snowden trove, so they can now also be examined by the public. This is a new phase: previously, documents were generally disclosed as part of journalistic reports, but the number of such publications steadily declined over the last two years.

What it was like to work with the Snowden documents can be learned from an interesting interview with two journalists from the German magazine Der Spiegel. They not only published a whole range of articles based upon the Top Secret NSA documents, but also a book which is much more informative than that of Glenn Greenwald.

The interview with Marcel Rosenbach and Holger Stark from Der Spiegel, as well as with Svea Eckert from the German broadcaster NDR, was part of the Network Research (Netzwerk Recherche) annual conference, which was held on July 3 and 4, 2015:

Journalists from Der Spiegel were provided with several tens of thousands of digital documents through the documentary film maker Laura Poitras, who had been in direct contact with Edward Snowden.

According to Holger Stark, it was clear that Snowden had sorted the documents, not very fine-grained, but he had put them in a few folders, according to topics that were of special interest to him, like operations of the NSA divisions TAO (hacking) and SSO (cable tapping). Rosenbach said that it looked like Snowden selected the documents based upon his concerns regarding civil liberties and that he did not do some "collect it all" scraping.

(Although in the film CitizenFour, Snowden himself said: "I cast such a wide net" that it would be difficult for NSA to determine how many documents he actually took.)

The journalists tried to search and filter the documents automatically, but a huge number of them had to be read and analysed manually, and read over and over again, in order to understand what was in them and what their importance could be. For that, they also consulted experts in cryptography and network architecture as well as former NSA employees like Binney and Drake (independent intelligence experts were not mentioned).

It was possible to ask Snowden, but not in a regular or easy way, also because he wanted to stay at a distance from the journalistic work. The journalists couldn't tell or estimate how many documents Snowden actually took. Der Spiegel got the documents unredacted, but in the documents that were published, editors redacted most of the names.

Der Spiegel frequently asked NSA to review the documents they wanted to publish, in order to avoid putting lives in danger. Sometimes NSA asked to remove things, but when it was obvious that that was for political reasons, the request was ignored. But in a few other cases Der Spiegel didn't publish or partly redacted the documents.

BOUNDLESSINFORMANT

Despite all their efforts, there were still many gaps and questions. This resulted, for example, in a wrong interpretation of NSA's data visualisation tool BOUNDLESSINFORMANT. In August 2013, Der Spiegel published charts from this tool that were initially interpreted as showing how much data NSA collected from several European countries. Soon, BND and NSA denied this and explained that the charts show data that European agencies provided to the Americans.

Holger Stark admitted that their initial interpretation was apparently not correct, but that there are still many questions about this issue. One of the difficulties was that NSA and the US government were not willing to respond to questions about this program, so they decided to publish their best guess. Rosenbach added that major foreign papers also shared their initial interpretation (maybe because the wrong interpretation came from Greenwald?).

One document that wasn't published, but only reported on, is the National Intelligence Priority Framework (NIPF), which contains the priorities for the US intelligence community as set by the White House. During the interview a part of the original NIPF document was shown for the first time:

The NIPF consists of a large matrix with each cell indicating the intersection between a state or non-state actor and an intelligence topic. A readable reconstruction of the NIPF based upon this new piece and earlier sources, can be found here (pdf).

Over time, Rosenbach and Stark learned to interpret the Snowden documents by combining information from multiple documents. A separate document, an internal NSA newsletter from December 2009, for example provided additional information about the priorities of the NIPF chart:

This newsletter says that updated versions of the NIPF are released about twice a year, and that these are run against the National SIGINT Requirements Process (NSRP), which sets the priorities for acquiring Signals Intelligence (SIGINT). The 5 levels of NIPF priorities are then translated (by the SIGINT Committee or SIGCOM) to the 9 levels of SIGINT priorities, based upon the importance of the SIGINT contribution.

The first NIPF was issued in 2003 and at that time the matrix contained over 2300 cells! There were hundreds of issues with priority 1 and 2, way too many to be manageable. So over the years the number of priorities, particularly the numbers of priority 1s and 2s, was reduced.

According to the journalists, the newsletter also explains that topics with priority 1 and 2 are meant for the president and the White House, while priority 3 is for cabinet ministers, the Chiefs of Staff and the Pentagon. For these highest priorities, covert intelligence methods are used. For priorities 4 and 5 open sources may be sufficient and their results are mainly used for political analysis.

For the Spiegel journalists this bureaucratic process illustrates that NSA isn't an agency that went rogue, but that they are directed by the political information needs from the White House (something that was usually conveniently ignored).

A MONSTERMIND/CYBERCOP presentation

Svea Eckert, a documentary maker for the regional German broadcaster NDR, was also present at the interview, and she had brought with her the laptop they had used for working with the Snowden documents. The computer was newly bought for this purpose and was never connected to the internet.

At NDR, Eckert was doing research for a documentary about the internet as a battle space, when a colleague of hers in the US was provided with a thumb drive containing Snowden documents that had been selected for their relevance to the topic of the documentary. It was not disclosed who the middlemen for these documents were, and apparently different German news media got documents from different sources.

The source had said that for these documents only the external TAILS operating system should be used. The same system was used by other people who worked with Snowden documents, like Laura Poitras, Glenn Greenwald, and Barton Gellman. On the dedicated laptop, Eckert showed an example of what these documents look like:

In the window we see for example an internal NSA newsletter with an interview with a hacker from NSA's TAO division, a Cyber Warfare Lexicon and a PowerPoint presentation. The latter has the filename "MONSTERMIND_presentation (copy).pptx", but when it was opened, it actually had the cover term CYBERCOP on the front slide and it was prepared by the "CyberCOP Product Manager".

Eckert explained that although most of these documents were very interesting, not everything was newsworthy enough or in the public interest to publish. Also the opinions of various experts had to be asked, because journalists were not always able to judge what the context or the importance of particular pieces of information was.

CYBERCOP

The CYBERCOP presentation is from April 11, 2013 and contains several screenshots of a graphical user interface in which NSA analysts can see where cyber attacks occur. The map part seems very similar to a well-known flashy visualisation on the website of the Norwegian cyber security company Norse:

It was decided not to publish the full MONSTERMIND/CYBERCOP presentation, but the documentary Schlachtfeld Internet ("Battlefield Internet") did contain several slides, which showed that NSA is apparently powerful enough to trace such attacks and that therefore the agency must be present at numerous points on the internet. This was considered newsworthy enough to report about.

In the documentary itself it was explained that an analysis tool called CYBERCOP makes it possible for NSA to monitor "cyber war" in real time. The presentation described at least one specific attack: on April 10, 2012, the US federal banking system in New York was successfully attacked by Iran, not directly, but through thousands of computers around the world, controlled through internet servers in Germany.

Broadcaster NDR published three slides of the CYBERCOP presentation here (pdf). Two of them show the CYBERCOP interface in a high resolution:


MONSTERMIND

The MONSTERMIND system was first disclosed in a very long interview that James Bamford had with Edward Snowden in August 2014. There, Snowden said that MONSTERMIND is a frightening program that automated "the process of hunting for the beginnings of a foreign cyberattack".

It could also automatically prevent attacks from entering the country, but its unique capability is that "instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement" - with the risk of hitting the wrong one, as Snowden warned.

The "killing" capability was also described in Eckert's documentary, but without mentioning the codename MONSTERMIND. It didn't become clear whether this just came from Snowden's recollection or whether it's mentioned in the CYBERCOP presentation (or other documents).

Eavesdropping on chancellor Merkel

The journalists from Der Spiegel also found interesting things purely by accident. The cache of documents for example contained an NSA presentation from the Center for Content Extraction (CCE, unit designator T1221) about a system to automatically sort out interesting and useful parts of intercepted phone calls.

One slide of this presentation shows an example list of some chiefs of state (cos), among which German chancellor Angela Merkel was listed. The presentation was not about actual interception operations, but did provide an indication that Merkel had been a target:

Der Spiegel published this slide on March 29, 2014 and the full presentation (pdf) was released online in June 2014. That chancellor Merkel had been a target of NSA had already been revealed in October 2013, based upon a database entry that allegedly did not come from the Snowden documents, but from another, as yet unidentified, second source.

So far, it seems that this example from the chiefs-of-state list is the only confirmation of NSA's targeting of chancellor Merkel that came from the Snowden documents. The intercepted content published by Wikileaks is also supposed to be from the second source.

During and after the interview, Stark, Rosenbach and Eckert were also asked about various aspects of working with the Snowden documents:

- Contrary to some claims made by the US government, there seemed to be little danger that these documents could endanger the lives of operatives or other people. The work that NSA does is highly technical and therefore the documents hardly contain any names. Most of the names they do contain are of authors, not of operative field agents.

- Eckert found it disappointing that the documents had almost no code or malware signatures in them, which could have been useful to identify hacking operations conducted by the NSA (Eckert said the XKEYSCORE rules were not included in the set she received). Again this was because the documents were often for management and training purposes and contained information on a meta level instead of actual operational details.

- The journalists were aware of the fact that these presentations had to be judged according to their intended purpose and audience and that the audio of these presentations was of course absent, although some presentations came with speaker's notes, which proved to be useful. It was also important to keep in mind that presentations will often have presented things in a positive way.

Finally, when asked about the future of the Snowden documents, the journalists thought that it could be good to make them available for scientific research, but that it's not up to them to decide. They were not in favor of making all the documents publicly available in the way Wikileaks used to do.


The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.